Kubernetes CKA sample exam question 70 with answer

Question
Check how long the kube-apiserver server certificate is valid on cluster2-master1.
Do this with openssl and write the expiration date to /opt/course/22/expiration.
Also run the correct kubeadm command to list the expiration dates and confirm both methods show the same date.
Write the correct kubeadm command that would renew the apiserver certificate into /opt/course/22/kubeadm-renew-certs.sh

Answer
SSH to the node:

ssh cluster2-master1

Display api-server manifest and grep it for crt:

cat /etc/kubernetes/manifests/kube-apiserver.yaml |grep crt

the target file would be /etc/kubernetes/pki/apiserver.crt.
Use openssl to view the validity:

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text|grep -i validity -A2

Place the output to the /opt/course/22/expiration:

Not After : Oct  5 21:25:30 2025 GMT

To check the same with kubeadm:

kubeadm certs check-expiration

Renew certs task:

kubeadm certs renew api-server
echo "kubeadm certs renew api-server" > /opt/course/22/kubeadm-renew-certs.sh

Test renewal:

bash /opt/course/22/kubeadm-renew-certs.sh
kubeadm certs check-expiration